Cyber Security challenges for the shipping industry

During the 2019 SAFETY4SEA London Conference, Mr. Chronis Kapalidis, Cyber Expert, Hudson Analytix, talked about cyber threats in shipping. He noted that cyber attacks are becoming more concerning and for this reason the industry must invest more in improving its cyber resilience.

Cyber threats are one of the main global risks as indicated by the World Economic Forum. According to the 2018 Global Risk Index, It is third in likelihood and fifth in potential impact . Consequently, the global trends, also presented in the same report indicate that this will only get worse because there is a rising cyber dependency in all industries, globally. Similarly, for the shipping industry, it is obvious now that we will be relying much more on digital systems and services in order to maximize productivity and cost effectiveness.

When Hudson started engaging in cyber security, the level of awareness was much lower than it is today.. But being optimistic about it, it can be argued that the industry is starting to come to grips with this new insidious threat,as we start to understand that the problem is there, but we still struggle to offer concrete solutions. Hudson’s research in partnership with research institutes in the UK, has identified three main issues for that:

Other mandatory actions required prior to the implementation of IMO’s cyber requirements in January 2021 (BWM, SC).

But there are specific researches out there that indicate how big the problem is. The Crew Connectivity Report Survey in 2018, shows how important internet connectivity on board is on where seafarers choose to work. One of the first things that they look at is ‘will I have internet access on the ship?’. Anotehr research indicates the level of budget allocation regarding cyber security based on company size. The biggest the company, the biggest the investment. But the thing is we have a lot of small family-owned ship companies and they are not investing a lot. The third one is a big of an oxymoron, because it initially querieshow well prepared the shipping industry is and there is a positive response (64%). On the other hand, when the same people are asked how much protected their company actually is, the numbers are reversed.

My advice is that we should be able to understand what the risk is andhow a company can be affected by a cyber breach, in order to minimize risk and look at cyber security as a Return-on_investment. When I am asked how vulnerable the industry actually is, I can tell you that the industry has been a target for the last nine years. Our research indicates that it started back in 2010, but we are sure there have been unreported incidents in the past. For example, a Greek shipping company suffered the most successful pirate attacks in Somalia, because pirates paid hackers to get access to the shipping company’s system and they were able to do that through wi-fi lightbulbs. The company installed wi-fi lightbulbs in their offices, because they wanted to have the latestgadget and they never changed the username and password! So the hackers were able to gain access to the shipping company’s cargo management system and were able to identify the vulnerable targets. The industry is targeted and there is a huge problem there.

We have also conducted a research to find out what are the vulnerabilities against cyber attacks, what are the consequences of an attack and what are the affected fields for ports and shpis. Surprisingly for both entities, the vulnerability is low, but as digitalization progresses stay assured that it will grow. But if you look at the consequences of a cyber attack, they are rather conciderable. During this research we broke down the elements of a ship in different sub-components. We identified 20 sub-components in the ship’s ecosystem. The important thing to understand is that cyber security is not an IT issue. Cyber security does not only target our data, but for ships specifically and ports, cyber has a great physical element in it. So if you suffer from a cyber breach , you will have physical consequences: a ship running aground, a collision, or even loss of life. It is not only loss of data.

What should be understood is that cyber security should be dealt from a risk-based approach and this is what the IMO is saying as well. But in order to do that, you need to follow a top-down approach. You need to help and facilitate the managers to understand what the problem is, to understand that it is not only an IT issue, and then try to train all staff within the company. It is not only going to affect your balance sheet, but it is going to cause litigation problems, it is going to cause reputational problems and will affect your company both internally and externally.

A solution to that is to look at cyber security from a capability maturity approach. This is a risk-based analysis. The Cyber division at Hudson has been working on a solution that is taking into consideration all existing regulations, guidelines and best practices, and we have come up with a model that can assess your enterprise cyber risk and offer solutions.

Our analysis so far has indicated that most companies invest in cyber capabilities. So if you invest in cyber security, you will be able to minimize risk and then sustain this capability. If you do that you will not have only minimized your cyber security risk, but also the insurance risk.

But what does the future hold? Regarding the adoption of digitalization, research indicates that this is becoming a trend, since, over the last three years for different kinds of ships internet connectivity has doubled or tripled. You will have more and more digitalized services on board and this opens new doors to cyber threats.

On the port environment, UK port associations have started looking at smart ports, more connectivity and more digital solutions. This is another area that needs to be taken into consideration, which is affecting the shipping industry.

Of course there is blockchain. It is becoming a major buzzword and a lot of people are talking about blockchain in shipping. We are trying to see the value of it. From what we have seen, blockchain is a nice to have, but is certainly not a differentiator that will contribute to cost minimization and increased efficiency.

So what should we do? The Danish government has issued the first of its kind cyber security strategy for the shipping industry. It engages all Danish flag ships and all ships sailing in Danish waters. We know that the IMO is really slow in reacting and implementing regulations, but a way of doing that is not only being industry-led, but also to look at flag states and how they can regulate that approach. It is time for once for the shipping industry to be proactive for a problem that has reached its ecosystem and is affecting day-to-day operations before it is too late.

The views presented hereabove are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.

Chronis Kapalidis, Cyber Expert, Hudson Analytix

Chronis Kapalidis is the European Representative of Hudson Analytix, promoting the company’s synergies in Europe on issues related to security, both physical and cyber. He recently concluded a fellowship at the International Security Department, Chatham House, on maritime cybersecurity, where he now stands as Academy Associate. He also stands as visiting research fellow at the Dartmouth Centre for Seapower and Strategy at Plymouth University, and as a board member in several academic and scientific bodies.

Chronis was an officer at the Hellenic Navy for 20 years. He was specialised on operations, communications, intelligence and IT infrastructure, while participating in several NATO, EU and UN operations. His research interests include cybersecurity, defence studies, international and maritime security.

He has published widely for Foreign Affairs, Chatham House, International Affairs, the Academy for Strategic Analyses, has been interviewed by The New York Times, the Independent and The Wall Street Journal and has participated in several maritime and cybersecurity related conferences and forums. Chronis has competed several projects at Chatham House on Cybersecurity for Critical National Infrastructure, in general, and the maritime sector specifically. He recently created the first digital learning course on maritime cybersecurity for Lloyd’s Maritime Academy.

He is currently based at the University of Warwick, where he is pursuing his doctoral degree on cyber risk quantification for the maritime sector. He holds an MA in International Relations and Global Security from Plymouth University, a PGCert in Defence Management and Leadership from the Hellenic Naval War College and BSc in Naval Warfare from the Hellenic Naval Academy, along with several professional certificates